Bug 18689 - Reproducible crash when writing a document into itself
Summary: Reproducible crash when writing a document into itself
Status: RESOLVED DUPLICATE of bug 15123
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 312.x
Hardware: All
OS: OS X 10.5
Importance: P1 Major
Assignee: WebKit Security Group
Keywords: InRadar
Reported: 2008-04-22 18:11 PDT by Mark Piper
Modified: 2011-02-03 09:33 PST (History)
Description Mark Piper 2008-04-22 18:11:57 PDT
The following script appears to crash any WebKit-based browser when provided by an HTML file or delivered via an XSS etc. Additional abstract behaviour can be observed by placing a large HTML payload after the body tag.

--- begin script ---
document.writeln(window.document.body.innerHTML);
--- end script ---

--- begin html file ---
<body>
AAAAAAAA

<script> document.writeln(window.document.body.innerHTML);</script>

</body>
--- end html file ---
Comment 1 Mark Rowe (bdash) 2008-04-24 15:11:21 PDT
<rdar://problem/5888128>
Comment 2 Alexey Proskuryakov 2008-04-29 10:04:29 PDT
Reproducible crash -> P1.
Comment 3 chris reiss 2011-01-11 08:58:04 PST
This appears to have the same root cause as https://bugs.webkit.org/show_bug.cgi?id=15123 - there is no recursion check in WebCore::Document::write().

I'll have a patch for 15123 soon, suggest marking this bug as duplicate.
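A toy model, added here and not WebKit's own code, of why the reporter's one-liner keeps re-executing itself and of the kind of depth guard Comment 3 says Document::write() lacked; the parser, the depth limit of 3 and the counters are assumptions of the model, not WebCore's.

```javascript
// Toy model (constructed for this page, not WebCore): a document whose
// writeln() re-enters the parser, so a script that writes body.innerHTML
// (which contains the script itself) re-executes itself until a guard stops it.
const MAX_WRITE_DEPTH = 3; // assumed small limit for the model, not WebKit's value

class ToyDocument {
  constructor(maxDepth = MAX_WRITE_DEPTH) {
    this.maxDepth = maxDepth;
    this.body = { innerHTML: "" }; // stands in for document.body
    this.depth = 0;                // current nesting of writeln() calls
    this.scriptRuns = 0;
    this.rejectedWrites = 0;
  }

  // Minimal parser: text is appended to the body; each <script> is appended
  // too (it is part of body.innerHTML while it runs) and then executed.
  parse(markup) {
    const re = /<script>([\s\S]*?)<\/script>/g;
    let last = 0, m;
    while ((m = re.exec(markup)) !== null) {
      this.body.innerHTML += markup.slice(last, m.index) + m[0];
      this.scriptRuns++;
      // The script sees this toy as both `document` and `window.document`.
      new Function("document", "window", m[1])(this, { document: this });
      last = re.lastIndex;
    }
    this.body.innerHTML += markup.slice(last);
  }

  // Re-entrant write with the recursion guard: each accepted write parses text
  // that contains the writing script again, so the nesting only ends when the
  // depth check refuses the write (without it the stack would be exhausted).
  writeln(text) {
    if (this.depth >= this.maxDepth) { this.rejectedWrites++; return false; }
    this.depth++;
    try { this.parse(text + "\n"); } finally { this.depth--; }
    return true;
  }
}
// The reporter's HTML file, embedded as a constructed string.
const REPRO_HTML =
  "<body>\nAAAAAAAA\n\n<script> document.writeln(window.document.body.innerHTML);</script>\n\n</body>";
// Parse the reproducer under a given guard depth and report how often the
// script ran and how many writes were refused (depth 3: 14 runs, 10 refused).
function runRepro(maxDepth = MAX_WRITE_DEPTH) {
  const doc = new ToyDocument(maxDepth);
  doc.parse(REPRO_HTML);
  return { scriptRuns: doc.scriptRuns, rejectedWrites: doc.rejectedWrites };
}
```

The number of script runs grows quickly with the allowed depth because every accepted write copies all scripts inserted so far back into the document, which is why the guard has to refuse the write rather than merely limit its size.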
Comment 4 chris reiss 2011-02-03 08:38:00 PST
This bug is closed by http://trac.webkit.org/changeset/77333
Comment 5 Adam Barth 2011-02-03 09:33:55 PST

*** This bug has been marked as a duplicate of bug 15123 ***